@vibecodemax/cli 0.1.2 → 0.1.3

package/dist/storageS3.js

@@ -0,0 +1,630 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import * as crypto from "node:crypto";
+import { S3Client, HeadBucketCommand, CreateBucketCommand, PutPublicAccessBlockCommand, PutBucketEncryptionCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketCorsCommand, GetBucketLocationCommand, GetPublicAccessBlockCommand, GetBucketEncryptionCommand, GetBucketOwnershipControlsCommand, GetBucketPolicyCommand, GetBucketCorsCommand, PutObjectCommand, ListObjectsV2Command, DeleteObjectCommand, GetObjectCommand, } from "@aws-sdk/client-s3";
+import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+const SETUP_CONFIG_PATH = path.join(".vibecodemax", "setup-config.json");
+const DEFAULT_BUCKETS = {
+    public: "public-assets",
+    private: "private-uploads",
+};
+const DEFAULT_PROJECT_SLUG = "vibecodemax";
+const DEFAULT_REGION = "us-east-1";
+const HEALTHCHECK_PREFIX = "_vibecodemax/healthcheck/default";
+const PUBLIC_ACCESS_BLOCK_PRIVATE = {
+    BlockPublicAcls: true,
+    IgnorePublicAcls: true,
+    BlockPublicPolicy: true,
+    RestrictPublicBuckets: true,
+};
+const PUBLIC_ACCESS_BLOCK_PUBLIC = {
+    BlockPublicAcls: true,
+    IgnorePublicAcls: true,
+    BlockPublicPolicy: false,
+    RestrictPublicBuckets: false,
+};
+const BUCKET_CORS_CONFIGURATION = {
+    CORSRules: [
+        {
+            AllowedOrigins: ["*"],
+            AllowedMethods: ["PUT", "POST", "GET", "HEAD"],
+            AllowedHeaders: ["*"],
+            ExposeHeaders: ["ETag", "x-amz-request-id", "x-amz-id-2"],
+            MaxAgeSeconds: 3000,
+        },
+    ],
+};
+const BUCKET_NAME_REGEX = /^(?!xn--)(?!.*\.\.)(?!.*\.$)(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/;
+function printJson(value) {
+    process.stdout.write(`${JSON.stringify(value)}\n`);
+}
+function fail(code, message, exitCode = 1, extra = {}) {
+    printJson({ ok: false, code, message, ...extra });
+    process.exit(exitCode);
+}
+function readFileIfExists(filePath) {
+    try {
+        return fs.readFileSync(filePath, "utf8");
+    }
+    catch {
+        return "";
+    }
+}
+function parseDotEnv(content) {
+    const env = {};
+    for (const rawLine of content.split(/\r?\n/)) {
+        const line = rawLine.trim();
+        if (!line || line.startsWith("#"))
+            continue;
+        const eq = line.indexOf("=");
+        if (eq === -1)
+            continue;
+        const key = line.slice(0, eq).trim();
+        const value = line.slice(eq + 1).trim();
+        if (!key)
+            continue;
+        env[key] = value;
+    }
+    return env;
+}
+function loadLocalEnv(cwd = process.cwd()) {
+    const envLocalPath = path.join(cwd, ".env.local");
+    const envBootstrapPath = path.join(cwd, ".env.bootstrap.local");
+    return {
+        envLocalPath,
+        envBootstrapPath,
+        values: {
+            ...parseDotEnv(readFileIfExists(envLocalPath)),
+            ...parseDotEnv(readFileIfExists(envBootstrapPath)),
+        },
+    };
+}
+function readSetupConfig(cwd = process.cwd()) {
+    const raw = readFileIfExists(path.join(cwd, SETUP_CONFIG_PATH)).trim();
+    if (!raw)
+        return {};
+    try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+    }
+    catch {
+        return {};
+    }
+}
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}
+function readStringFlag(flags, key) {
+    const value = flags[key];
+    return typeof value === "string" ? value.trim() : "";
+}
+function mergeEnvFile(filePath, nextValues) {
+    const existing = parseDotEnv(readFileIfExists(filePath));
+    const merged = { ...existing, ...nextValues };
+    const keys = Object.keys(merged).sort();
+    const content = `${keys.map((key) => `${key}=${merged[key]}`).join("\n")}\n`;
+    fs.writeFileSync(filePath, content, "utf8");
+}
+function normalizeProjectSlug(input) {
+    if (typeof input !== "string")
+        return null;
+    const slug = input
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9-]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .replace(/-+/g, "-");
+    if (!slug)
+        return null;
+    return slug.slice(0, 24);
+}
+function deriveProjectSlug(flags, setupConfig, cwd) {
+    const storageConfig = setupConfig.storage && typeof setupConfig.storage === "object" ? setupConfig.storage : {};
+    const candidates = [
+        readStringFlag(flags, "project-slug"),
+        setupConfig.projectSlug,
+        setupConfig.projectName,
+        setupConfig.appName,
+        setupConfig.name,
+        storageConfig.projectSlug,
+        path.basename(cwd),
+        DEFAULT_PROJECT_SLUG,
+    ];
+    for (const candidate of candidates) {
+        const normalized = normalizeProjectSlug(candidate);
+        if (normalized)
+            return normalized;
+    }
+    return DEFAULT_PROJECT_SLUG;
+}
+function normalizeRegion(value) {
+    if (!isNonEmptyString(value))
+        return null;
+    const trimmed = value.trim();
+    return /^[a-z]{2}-[a-z]+-\d$/.test(trimmed) ? trimmed : null;
+}
+function resolveRegion(flags, envValues, setupConfig) {
+    const storageConfig = setupConfig.storage && typeof setupConfig.storage === "object" ? setupConfig.storage : {};
+    return (normalizeRegion(readStringFlag(flags, "region"))
+        || normalizeRegion(envValues.AWS_REGION)
+        || normalizeRegion(envValues.AWS_DEFAULT_REGION)
+        || normalizeRegion(storageConfig.region)
+        || DEFAULT_REGION);
+}
+function requiresSessionToken(accessKeyId) {
+    return accessKeyId.startsWith("ASIA");
+}
+function readAwsContext(flags, cwd = process.cwd()) {
+    const setupConfig = readSetupConfig(cwd);
+    const localEnv = loadLocalEnv(cwd);
+    const accessKeyId = localEnv.values.AWS_ACCESS_KEY_ID || "";
+    const secretAccessKey = localEnv.values.AWS_SECRET_ACCESS_KEY || "";
+    const sessionToken = localEnv.values.AWS_SESSION_TOKEN || "";
+    const region = resolveRegion(flags, localEnv.values, setupConfig);
+    const projectSlug = deriveProjectSlug(flags, setupConfig, cwd);
+    const missingKeys = [];
+    const presentKeys = [];
+    if (isNonEmptyString(accessKeyId))
+        presentKeys.push("AWS_ACCESS_KEY_ID");
+    else
+        missingKeys.push("AWS_ACCESS_KEY_ID");
+    if (isNonEmptyString(secretAccessKey))
+        presentKeys.push("AWS_SECRET_ACCESS_KEY");
+    else
+        missingKeys.push("AWS_SECRET_ACCESS_KEY");
+    if (isNonEmptyString(localEnv.values.AWS_REGION))
+        presentKeys.push("AWS_REGION");
+    else if (normalizeRegion(setupConfig.storage?.region)) {
+        // region is supplied structurally; no missing key required
+    }
+    else {
+        missingKeys.push("AWS_REGION");
+    }
+    if (isNonEmptyString(accessKeyId) && requiresSessionToken(accessKeyId)) {
+        if (isNonEmptyString(sessionToken))
+            presentKeys.push("AWS_SESSION_TOKEN");
+        else
+            missingKeys.push("AWS_SESSION_TOKEN");
+    }
+    else if (isNonEmptyString(sessionToken)) {
+        presentKeys.push("AWS_SESSION_TOKEN");
+    }
+    return {
+        cwd,
+        setupConfig,
+        localEnv,
+        region,
+        projectSlug,
+        accessKeyId: accessKeyId.trim(),
+        secretAccessKey: secretAccessKey.trim(),
+        sessionToken: sessionToken.trim(),
+        missingKeys,
+        presentKeys,
+    };
+}
+function deterministicBuckets({ accountId, projectSlug }) {
+    const slug = normalizeProjectSlug(projectSlug) || DEFAULT_PROJECT_SLUG;
+    const suffixSeed = `${slug}:${accountId || "acct"}`;
+    const suffix = crypto.createHash("sha1").update(suffixSeed).digest("hex").slice(0, 8);
+    const prefixBase = `${slug}-${suffix}`;
+    const makeName = (postfix) => {
+        let candidate = `${prefixBase}-${postfix}`.replace(/-+/g, "-");
+        if (candidate.length <= 63)
+            return candidate;
+        const overflow = candidate.length - 63;
+        const shortenedSlug = slug.slice(0, Math.max(3, slug.length - overflow));
+        candidate = `${shortenedSlug}-${suffix}-${postfix}`.replace(/-+/g, "-");
+        return candidate.slice(0, 63).replace(/-+$/g, "");
+    };
+    const buckets = {
+        public: makeName(DEFAULT_BUCKETS.public),
+        private: makeName(DEFAULT_BUCKETS.private),
+    };
+    for (const [key, value] of Object.entries(buckets)) {
+        if (!BUCKET_NAME_REGEX.test(value)) {
+            fail("INVALID_BUCKET_NAME", `Derived ${key} bucket name is invalid.`, 1, { bucket: value });
+        }
+    }
+    return buckets;
+}
+function createAwsClients(region, credentials) {
+    const config = {
+        region,
+        credentials: {
+            accessKeyId: credentials.accessKeyId,
+            secretAccessKey: credentials.secretAccessKey,
+            ...(credentials.sessionToken ? { sessionToken: credentials.sessionToken } : {}),
+        },
+    };
+    return {
+        s3Client: new S3Client(config),
+        stsClient: new STSClient(config),
+    };
+}
+async function validateCredentials(region, credentials) {
+    try {
+        const { stsClient } = createAwsClients(region, credentials);
+        const identity = await stsClient.send(new GetCallerIdentityCommand({}));
+        return {
+            accountId: identity.Account || null,
+            arn: identity.Arn || null,
+            userId: identity.UserId || null,
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "AWS credential validation failed.";
+        fail("AWS_AUTH_FAILED", message, 1, { region });
+    }
+}
+async function resolveBucketRegion(s3Client, bucket) {
+    try {
+        const response = await s3Client.send(new GetBucketLocationCommand({ Bucket: bucket }));
+        const location = response.LocationConstraint ? String(response.LocationConstraint) : "";
+        if (!location || location == "None")
+            return "us-east-1";
+        if (location === "EU")
+            return "eu-west-1";
+        return location;
+    }
+    catch {
+        return null;
+    }
+}
+function getAwsStatus(error) {
+    const value = error;
+    return value?.$metadata?.httpStatusCode || value?.statusCode || null;
+}
+function getAwsCode(error) {
+    const value = error;
+    return value?.name || value?.Code || value?.code || "UnknownError";
+}
+function isNotFoundBucketError(error) {
+    const code = getAwsCode(error);
+    const status = getAwsStatus(error);
+    return status === 404 || code === "NotFound" || code === "NoSuchBucket";
+}
+function isRegionMismatchError(error) {
+    const code = getAwsCode(error);
+    const status = getAwsStatus(error);
+    return status === 301 || code === "PermanentRedirect" || code === "AuthorizationHeaderMalformed" || code === "IncorrectEndpoint" || code === "IllegalLocationConstraintException";
+}
+async function ensureSingleBucket(s3Client, bucket, region) {
+    let created = false;
+    try {
+        await s3Client.send(new HeadBucketCommand({ Bucket: bucket }));
+    }
+    catch (error) {
+        if (isRegionMismatchError(error)) {
+            const actualRegion = await resolveBucketRegion(s3Client, bucket);
+            fail("AWS_REGION_MISMATCH", `Bucket ${bucket} exists in a different region.`, 1, {
+                bucket,
+                selectedRegion: region,
+                actualRegion,
+            });
+        }
+        if (!isNotFoundBucketError(error)) {
+            const message = error instanceof Error ? error.message : `Failed to inspect bucket ${bucket}.`;
+            fail("AWS_BUCKET_CREATE_FAILED", message, 1, { bucket, awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
+        }
+        const input = region === "us-east-1"
+            ? { Bucket: bucket }
+            : { Bucket: bucket, CreateBucketConfiguration: { LocationConstraint: region } };
+        try {
+            await s3Client.send(new CreateBucketCommand(input));
+            created = true;
+        }
+        catch (createError) {
+            const code = getAwsCode(createError);
+            if (code !== "BucketAlreadyOwnedByYou") {
+                const message = createError instanceof Error ? createError.message : `Failed to create bucket ${bucket}.`;
+                fail("AWS_BUCKET_CREATE_FAILED", message, 1, { bucket, awsCode: code, awsStatus: getAwsStatus(createError) });
+            }
+        }
+    }
+    return {
+        bucket,
+        created,
+        updated: !created,
+        verified: true,
+        region: (await resolveBucketRegion(s3Client, bucket)) || region,
+    };
+}
+async function ensureTwoBuckets(region, credentials, buckets) {
+    const { s3Client } = createAwsClients(region, credentials);
+    return {
+        public: await ensureSingleBucket(s3Client, buckets.public, region),
+        private: await ensureSingleBucket(s3Client, buckets.private, region),
+    };
+}
+async function applyBucketSafety(region, credentials, buckets) {
+    const { s3Client } = createAwsClients(region, credentials);
+    const targets = [
+        { name: buckets.public, block: PUBLIC_ACCESS_BLOCK_PUBLIC },
+        { name: buckets.private, block: PUBLIC_ACCESS_BLOCK_PRIVATE },
+    ];
+    for (const target of targets) {
+        try {
+            await s3Client.send(new PutBucketOwnershipControlsCommand({
+                Bucket: target.name,
+                OwnershipControls: { Rules: [{ ObjectOwnership: "BucketOwnerEnforced" }] },
+            }));
+            await s3Client.send(new PutBucketEncryptionCommand({
+                Bucket: target.name,
+                ServerSideEncryptionConfiguration: {
+                    Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }],
+                },
+            }));
+            await s3Client.send(new PutPublicAccessBlockCommand({
+                Bucket: target.name,
+                PublicAccessBlockConfiguration: target.block,
+            }));
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : `Failed to apply safety defaults to ${target.name}.`;
+            fail("AWS_POLICY_APPLY_FAILED", message, 1, { bucket: target.name, awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
+        }
+    }
+}
+async function applyBucketCors(region, credentials, buckets) {
+    const { s3Client } = createAwsClients(region, credentials);
+    for (const bucket of [buckets.public, buckets.private]) {
+        try {
+            await s3Client.send(new PutBucketCorsCommand({
+                Bucket: bucket,
+                CORSConfiguration: BUCKET_CORS_CONFIGURATION,
+            }));
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : `Failed to apply CORS to ${bucket}.`;
+            fail("AWS_POLICY_APPLY_FAILED", message, 1, { bucket, awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
+        }
+    }
+}
+function buildPublicPolicy(bucket) {
+    const bucketArn = `arn:aws:s3:::${bucket}`;
+    const objectArn = `${bucketArn}/*`;
+    return {
+        Version: "2012-10-17",
+        Statement: [
+            {
+                Sid: "DenyInsecureTransport",
+                Effect: "Deny",
+                Principal: "*",
+                Action: "s3:*",
+                Resource: [bucketArn, objectArn],
+                Condition: { Bool: { "aws:SecureTransport": "false" } },
+            },
+            {
+                Sid: "AllowPublicReadObjects",
+                Effect: "Allow",
+                Principal: "*",
+                Action: "s3:GetObject",
+                Resource: objectArn,
+            },
+        ],
+    };
+}
+function buildPrivatePolicy(bucket) {
+    const bucketArn = `arn:aws:s3:::${bucket}`;
+    const objectArn = `${bucketArn}/*`;
+    return {
+        Version: "2012-10-17",
+        Statement: [
+            {
+                Sid: "DenyInsecureTransport",
+                Effect: "Deny",
+                Principal: "*",
+                Action: "s3:*",
+                Resource: [bucketArn, objectArn],
+                Condition: { Bool: { "aws:SecureTransport": "false" } },
+            },
+        ],
+    };
+}
+async function applyBucketPolicies(region, credentials, buckets) {
+    const { s3Client } = createAwsClients(region, credentials);
+    try {
+        await s3Client.send(new PutBucketPolicyCommand({ Bucket: buckets.public, Policy: JSON.stringify(buildPublicPolicy(buckets.public)) }));
+        await s3Client.send(new PutBucketPolicyCommand({ Bucket: buckets.private, Policy: JSON.stringify(buildPrivatePolicy(buckets.private)) }));
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Failed to apply bucket policies.";
+        fail("AWS_POLICY_APPLY_FAILED", message, 1, { awsCode: getAwsCode(error), awsStatus: getAwsStatus(error) });
+    }
+}
+async function getBucketEvidence(s3Client, bucket, regionHint) {
+    await s3Client.send(new HeadBucketCommand({ Bucket: bucket }));
+    const bucketRegion = (await resolveBucketRegion(s3Client, bucket)) || regionHint;
+    const publicAccessBlockResponse = await s3Client.send(new GetPublicAccessBlockCommand({ Bucket: bucket }));
+    const encryptionResponse = await s3Client.send(new GetBucketEncryptionCommand({ Bucket: bucket }));
+    const ownershipResponse = await s3Client.send(new GetBucketOwnershipControlsCommand({ Bucket: bucket }));
+    const policyResponse = await s3Client.send(new GetBucketPolicyCommand({ Bucket: bucket }));
+    const corsResponse = await s3Client.send(new GetBucketCorsCommand({ Bucket: bucket }));
+    const policyText = typeof policyResponse.Policy === "string" ? policyResponse.Policy : "";
+    return {
+        bucketRegion,
+        publicAccessBlock: publicAccessBlockResponse.PublicAccessBlockConfiguration || null,
+        encryption: encryptionResponse.ServerSideEncryptionConfiguration?.Rules?.[0]?.ApplyServerSideEncryptionByDefault?.SSEAlgorithm || null,
+        ownershipControls: ownershipResponse.OwnershipControls?.Rules?.[0]?.ObjectOwnership || null,
+        policyApplied: Boolean(policyText),
+        hasPublicReadPolicy: policyText.includes("\"Action\":\"s3:GetObject\"") || policyText.includes("\"Action\":[\"s3:GetObject\"]"),
+        corsRules: corsResponse.CORSRules || [],
+    };
+}
+async function verifyTwoBuckets(region, credentials, buckets) {
+    const { s3Client } = createAwsClients(region, credentials);
+    const publicEvidence = await getBucketEvidence(s3Client, buckets.public, region);
+    const privateEvidence = await getBucketEvidence(s3Client, buckets.private, region);
+    const publicOk = publicEvidence.bucketRegion === region &&
+        publicEvidence.ownershipControls === "BucketOwnerEnforced" &&
+        publicEvidence.encryption === "AES256" &&
+        Boolean(publicEvidence.publicAccessBlock?.BlockPublicAcls) &&
+        Boolean(publicEvidence.publicAccessBlock?.IgnorePublicAcls) &&
+        publicEvidence.publicAccessBlock?.BlockPublicPolicy === false &&
+        publicEvidence.publicAccessBlock?.RestrictPublicBuckets === false &&
+        publicEvidence.policyApplied === true &&
+        publicEvidence.hasPublicReadPolicy === true &&
+        Array.isArray(publicEvidence.corsRules) && publicEvidence.corsRules.length > 0;
+    const privateOk = privateEvidence.bucketRegion === region &&
+        privateEvidence.ownershipControls === "BucketOwnerEnforced" &&
+        privateEvidence.encryption === "AES256" &&
+        Boolean(privateEvidence.publicAccessBlock?.BlockPublicAcls) &&
+        Boolean(privateEvidence.publicAccessBlock?.IgnorePublicAcls) &&
+        Boolean(privateEvidence.publicAccessBlock?.BlockPublicPolicy) &&
+        Boolean(privateEvidence.publicAccessBlock?.RestrictPublicBuckets) &&
+        privateEvidence.policyApplied === true &&
+        privateEvidence.hasPublicReadPolicy === false &&
+        Array.isArray(privateEvidence.corsRules) && privateEvidence.corsRules.length > 0;
+    if (!publicOk || !privateOk) {
+        fail("AWS_VERIFY_FAILED", "AWS S3 bucket configuration verification failed.", 1, {
+            publicBucket: buckets.public,
+            privateBucket: buckets.private,
+        });
+    }
+}
+function buildObjectUrl(bucket, region, key) {
+    const encoded = key.split("/").map((segment) => encodeURIComponent(segment)).join("/");
+    if (region === "us-east-1")
+        return `https://${bucket}.s3.amazonaws.com/${encoded}`;
+    return `https://${bucket}.s3.${region}.amazonaws.com/${encoded}`;
+}
+async function smokeTestBuckets(region, credentials, buckets) {
+    const { s3Client } = createAwsClients(region, credentials);
+    const runId = `run_${Date.now()}`;
+    const prefix = `${HEALTHCHECK_PREFIX}/${runId}`;
+    const publicKey = `${prefix}/public-probe.txt`;
+    const privateKey = `${prefix}/private-probe.txt`;
+    await s3Client.send(new PutObjectCommand({ Bucket: buckets.public, Key: publicKey, Body: "public healthcheck probe", ContentType: "text/plain" }));
+    await s3Client.send(new PutObjectCommand({ Bucket: buckets.private, Key: privateKey, Body: "private healthcheck probe", ContentType: "text/plain" }));
+    const publicList = await s3Client.send(new ListObjectsV2Command({ Bucket: buckets.public, Prefix: prefix }));
+    const privateList = await s3Client.send(new ListObjectsV2Command({ Bucket: buckets.private, Prefix: prefix }));
+    const listPassed = Number(publicList.KeyCount || 0) > 0 && Number(privateList.KeyCount || 0) > 0;
+    if (!listPassed) {
+        fail("AWS_SMOKE_TEST_FAILED", "AWS S3 smoke-test list operation did not return the uploaded healthcheck objects.", 1, { prefix });
+    }
+    const publicUrl = buildObjectUrl(buckets.public, region, publicKey);
+    const privateUrl = buildObjectUrl(buckets.private, region, privateKey);
+    const publicReadResponse = await fetch(publicUrl);
+    const privateReadResponse = await fetch(privateUrl);
+    const publicRead = publicReadResponse.ok;
+    const privateReadBlocked = !privateReadResponse.ok;
+    if (!publicRead || !privateReadBlocked) {
+        fail("AWS_SMOKE_TEST_FAILED", "AWS S3 smoke-test public/private read checks failed.", 1, {
+            publicReadStatus: publicReadResponse.status,
+            privateReadStatus: privateReadResponse.status,
+        });
+    }
+    await s3Client.send(new GetObjectCommand({ Bucket: buckets.private, Key: privateKey }));
+    await s3Client.send(new DeleteObjectCommand({ Bucket: buckets.public, Key: publicKey }));
+    await s3Client.send(new DeleteObjectCommand({ Bucket: buckets.private, Key: privateKey }));
+    return {
+        ok: true,
+        command: "storage smoke-test-s3",
+        runId,
+        prefix,
+        buckets,
+        upload: true,
+        list: true,
+        publicRead: true,
+        privateRead: true,
+        delete: true,
+        publicObjectUrl: publicUrl,
+    };
+}
+export async function checkS3Context(flags) {
+    const context = readAwsContext(flags);
+    if (context.missingKeys.length > 0) {
+        printJson({
+            ok: true,
+            command: "storage check-s3-context",
+            ready: false,
+            missingKeys: context.missingKeys,
+            presentKeys: context.presentKeys,
+            region: context.region,
+            expectedExisting: false,
+            checkedFiles: [path.basename(context.localEnv.envBootstrapPath), path.basename(context.localEnv.envLocalPath)],
+        });
+        return;
+    }
+    const identity = await validateCredentials(context.region, {
+        accessKeyId: context.accessKeyId,
+        secretAccessKey: context.secretAccessKey,
+        ...(context.sessionToken ? { sessionToken: context.sessionToken } : {}),
+    });
+    const buckets = deterministicBuckets({ accountId: identity.accountId, projectSlug: context.projectSlug });
+    printJson({
+        ok: true,
+        command: "storage check-s3-context",
+        ready: true,
+        missingKeys: [],
+        presentKeys: context.presentKeys,
+        region: context.region,
+        expectedExisting: false,
+        identity,
+        bucketPlan: buckets,
+        bucketSource: "generated_deterministic",
+        checkedFiles: [path.basename(context.localEnv.envBootstrapPath), path.basename(context.localEnv.envLocalPath)],
+    });
+}
+export async function setupS3Storage(flags) {
+    const context = readAwsContext(flags);
+    if (context.missingKeys.length > 0) {
+        fail("MISSING_ENV", `Missing required AWS values: ${context.missingKeys.join(", ")}. Add them to .env.bootstrap.local.`);
+    }
+    const credentials = {
+        accessKeyId: context.accessKeyId,
+        secretAccessKey: context.secretAccessKey,
+        ...(context.sessionToken ? { sessionToken: context.sessionToken } : {}),
+    };
+    const identity = await validateCredentials(context.region, credentials);
+    const buckets = deterministicBuckets({ accountId: identity.accountId, projectSlug: context.projectSlug });
+    const bucketResults = await ensureTwoBuckets(context.region, credentials, buckets);
+    await applyBucketSafety(context.region, credentials, buckets);
+    await applyBucketCors(context.region, credentials, buckets);
+    await applyBucketPolicies(context.region, credentials, buckets);
+    await verifyTwoBuckets(context.region, credentials, buckets);
+    mergeEnvFile(context.localEnv.envLocalPath, {
+        AWS_REGION: context.region,
+        AWS_S3_PUBLIC_BUCKET: buckets.public,
+        AWS_S3_PRIVATE_BUCKET: buckets.private,
+    });
+    printJson({
+        ok: true,
+        command: "storage setup-s3",
+        region: context.region,
+        identity,
+        bucketSource: "generated_deterministic",
+        buckets,
+        bucketsConfigured: [bucketResults.public, bucketResults.private],
+        safetyDefaultsApplied: true,
+        corsApplied: true,
+        policiesApplied: true,
+        verified: true,
+        envWritten: ["AWS_REGION", "AWS_S3_PUBLIC_BUCKET", "AWS_S3_PRIVATE_BUCKET"],
+    });
+}
+export async function smokeTestS3(flags) {
+    const context = readAwsContext(flags);
+    const publicBucket = context.localEnv.values.AWS_S3_PUBLIC_BUCKET || "";
+    const privateBucket = context.localEnv.values.AWS_S3_PRIVATE_BUCKET || "";
+    if (context.missingKeys.length > 0) {
+        fail("MISSING_ENV", `Missing required AWS values: ${context.missingKeys.join(", ")}. Add them to .env.bootstrap.local.`);
+    }
+    if (!isNonEmptyString(publicBucket) || !isNonEmptyString(privateBucket)) {
+        fail("MISSING_ENV", "AWS_S3_PUBLIC_BUCKET or AWS_S3_PRIVATE_BUCKET is missing. Run storage setup first so .env.local is populated.");
+    }
+    const credentials = {
+        accessKeyId: context.accessKeyId,
+        secretAccessKey: context.secretAccessKey,
+        ...(context.sessionToken ? { sessionToken: context.sessionToken } : {}),
+    };
+    await validateCredentials(context.region, credentials);
+    const result = await smokeTestBuckets(context.region, credentials, {
+        public: publicBucket.trim(),
+        private: privateBucket.trim(),
+    });
+    printJson(result);
+}
+export function __testOnlyDeterministicBuckets(projectSlug, accountId) {
+    return deterministicBuckets({ projectSlug, accountId });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodemax/cli",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "VibeCodeMax CLI — local provider setup for bootstrap and project configuration",
   "type": "module",
   "bin": {
@@ -13,7 +13,8 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.json",
-    "typecheck": "tsc -p tsconfig.json --noEmit"
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "npm run build && node --test test/*.test.mjs"
   },
   "engines": {
     "node": ">=20"
@@ -31,5 +32,9 @@
   "homepage": "https://github.com/VibeCodeMax/cli#readme",
   "bugs": {
     "url": "https://github.com/VibeCodeMax/cli/issues"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.1029.0",
+    "@aws-sdk/client-sts": "^3.1029.0"
   }
 }